feat: Add support for skipping email_verified claim requirement per issuer (#2220)

Fixes #2219

Some enterprise identity providers like Microsoft Entra (Azure AD) and
ADFS don't include the email_verified claim in their OIDC tokens because
email verification happens through their centralized identity management
processes rather than during OIDC token issuance. This caused Fulcio to
reject valid tokens from these providers, impacting some enterprise
deployments.

Added a new optional SkipEmailVerification boolean field to the OIDCIssuer
configuration struct. When set to true for a specific issuer, Fulcio will
skip the email_verified claim check during principal creation while still
validating email format and embedding it in the certificate. This approach
maintains security by default (the field defaults to false) while allowing
operators to explicitly opt-in for trusted internal identity providers.

The implementation moves the issuer configuration lookup earlier in
PrincipalFromIDToken so we can access the SkipEmailVerification flag
before checking email_verified. For meta-issuers with wildcard patterns,
the flag is propagated when constructing concrete issuer configurations.

Added tests coverage for scenarios for tokens with missing email_verified
claims, explicit false values, and true values when skip is enabled.
Updated config parsing tests to verify the new field can be read from
both YAML and JSON configurations.

Signed-off-by: Morgan Jones <[email protected]>

Author: mogthesprog

fulcio.proto

@@ -241,4 +241,7 @@ message OIDCIssuer {
     string issuer_type = 6;
     // The expected subject domain. Only present when the OIDC issuer issues tokens for URI or username identities.
     string subject_domain = 7;
+    // Whether to skip email verification for this issuer.
+    // Only applicable to email-type issuers from trusted internal identity providers.
+    bool skip_email_verification = 8;
 }

fulcio.swagger.json

@@ -245,6 +245,10 @@
         "subjectDomain": {
           "type": "string",
           "description": "The expected subject domain. Only present when the OIDC issuer issues tokens for URI or username identities."
+        },
+        "skipEmailVerification": {
+          "type": "boolean",
+          "description": "Whether to skip email verification for this issuer.\nOnly applicable to email-type issuers from trusted internal identity providers."
         }
       },
       "description": "Metadata about an OIDC issuer."

pkg/config/config.go

@@ -133,6 +133,11 @@ type OIDCIssuer struct {
 	// This is used to trust the TLS certificate signed by an internal CA when interacting
 	// with some OIDC providers, preventing x509 certificate verification failures.
 	CACert string `json:"CACert,omitempty" yaml:"ca-cert,omitempty"`
+
+	// SkipEmailVerification skips the email_verified claim check for email-type issuers.
+	// This should only be set to true for trusted internal identity providers (e.g., Microsoft Entra, ADFS)
+	// that perform email verification through their own processes but don't include the email_verified claim.
+	SkipEmailVerification bool `json:"SkipEmailVerification,omitempty" yaml:"skip-email-verification,omitempty"`
 }
 
 func metaRegex(issuer string) (*regexp.Regexp, error) {
@@ -168,12 +173,13 @@ func (fc *FulcioConfig) GetIssuer(issuerURL string) (OIDCIssuer, bool) {
 			// If it matches, then return a concrete OIDCIssuer
 			// configuration for this issuer URL.
 			return OIDCIssuer{
-				IssuerURL:     issuerURL,
-				ClientID:      iss.ClientID,
-				Type:          iss.Type,
-				IssuerClaim:   iss.IssuerClaim,
-				SubjectDomain: iss.SubjectDomain,
-				CIProvider:    iss.CIProvider,
+				IssuerURL:             issuerURL,
+				ClientID:              iss.ClientID,
+				Type:                  iss.Type,
+				IssuerClaim:           iss.IssuerClaim,
+				SubjectDomain:         iss.SubjectDomain,
+				CIProvider:            iss.CIProvider,
+				SkipEmailVerification: iss.SkipEmailVerification,
 			}, true
 		}
 	}
@@ -256,24 +262,26 @@ func (fc *FulcioConfig) ToIssuers() []*fulciogrpc.OIDCIssuer {
 
 	for _, cfgIss := range fc.OIDCIssuers {
 		issuer := &fulciogrpc.OIDCIssuer{
-			Issuer:            &fulciogrpc.OIDCIssuer_IssuerUrl{IssuerUrl: cfgIss.IssuerURL},
-			Audience:          cfgIss.ClientID,
-			SpiffeTrustDomain: cfgIss.SPIFFETrustDomain,
-			ChallengeClaim:    issuerToChallengeClaim(cfgIss.Type, cfgIss.ChallengeClaim),
-			IssuerType:        cfgIss.Type.String(),
-			SubjectDomain:     cfgIss.SubjectDomain,
+			Issuer:                &fulciogrpc.OIDCIssuer_IssuerUrl{IssuerUrl: cfgIss.IssuerURL},
+			Audience:              cfgIss.ClientID,
+			SpiffeTrustDomain:     cfgIss.SPIFFETrustDomain,
+			ChallengeClaim:        issuerToChallengeClaim(cfgIss.Type, cfgIss.ChallengeClaim),
+			IssuerType:            cfgIss.Type.String(),
+			SubjectDomain:         cfgIss.SubjectDomain,
+			SkipEmailVerification: cfgIss.SkipEmailVerification,
 		}
 		issuers = append(issuers, issuer)
 	}
 
 	for metaIss, cfgIss := range fc.MetaIssuers {
 		issuer := &fulciogrpc.OIDCIssuer{
-			Issuer:            &fulciogrpc.OIDCIssuer_WildcardIssuerUrl{WildcardIssuerUrl: metaIss},
-			Audience:          cfgIss.ClientID,
-			SpiffeTrustDomain: cfgIss.SPIFFETrustDomain,
-			ChallengeClaim:    issuerToChallengeClaim(cfgIss.Type, cfgIss.ChallengeClaim),
-			IssuerType:        cfgIss.Type.String(),
-			SubjectDomain:     cfgIss.SubjectDomain,
+			Issuer:                &fulciogrpc.OIDCIssuer_WildcardIssuerUrl{WildcardIssuerUrl: metaIss},
+			Audience:              cfgIss.ClientID,
+			SpiffeTrustDomain:     cfgIss.SPIFFETrustDomain,
+			ChallengeClaim:        issuerToChallengeClaim(cfgIss.Type, cfgIss.ChallengeClaim),
+			IssuerType:            cfgIss.Type.String(),
+			SubjectDomain:         cfgIss.SubjectDomain,
+			SkipEmailVerification: cfgIss.SkipEmailVerification,
 		}
 		issuers = append(issuers, issuer)
 	}

pkg/config/config_network_test.go

@@ -49,8 +49,8 @@ func TestLoadYamlConfig(t *testing.T) {
 	if got.IssuerURL != "https://accounts.google.com" {
 		t.Errorf("expected https://accounts.google.com, got %s", got.IssuerURL)
 	}
-	if got := len(cfg.OIDCIssuers); got != 1 {
-		t.Errorf("expected 1 issuer, got %d", got)
+	if got := len(cfg.OIDCIssuers); got != 2 {
+		t.Errorf("expected 2 issuers, got %d", got)
 	}
 
 	got, ok = cfg.GetIssuer("https://oidc.eks.fantasy-land.amazonaws.com/id/CLUSTERIDENTIFIER")
@@ -102,8 +102,8 @@ func TestLoadJsonConfig(t *testing.T) {
 	if got.IssuerURL != "https://accounts.google.com" {
 		t.Errorf("expected https://accounts.google.com, got %s", got.IssuerURL)
 	}
-	if got := len(cfg.OIDCIssuers); got != 1 {
-		t.Errorf("expected 1 issuer, got %d", got)
+	if got := len(cfg.OIDCIssuers); got != 2 {
+		t.Errorf("expected 2 issuers, got %d", got)
 	}
 
 	got, ok = cfg.GetIssuer("https://oidc.eks.fantasy-land.amazonaws.com/id/CLUSTERIDENTIFIER")

pkg/config/config_test.go

@@ -50,6 +50,12 @@ oidc-issuers:
     client-id: foo
     type: email
     challenge-claim: email
+  https://internal.example.com:
+    issuer-url: https://internal.example.com
+    client-id: foo
+    type: email
+    challenge-claim: email
+    skip-email-verification: true
 meta-issuers:
   https://oidc.eks.*.amazonaws.com/id/*:
     client-id: bar
@@ -68,6 +74,13 @@ var validJSONCfg = `
 			"ClientID": "foo",
 			"Type": "email",
 			"ChallengeClaim": "email"
+		},
+		"https://internal.example.com": {
+			"IssuerURL": "https://internal.example.com",
+			"ClientID": "foo",
+			"Type": "email",
+			"ChallengeClaim": "email",
+			"SkipEmailVerification": true
 		}
 	},
 	"MetaIssuers": {
@@ -511,6 +524,42 @@ func Test_validateAllowedDomain(t *testing.T) {
 	}
 }
 
+func TestSkipEmailVerificationParsing(t *testing.T) {
+	yamlConfig := `
+oidc-issuers:
+  https://internal.example.com:
+    issuer-url: https://internal.example.com
+    client-id: sigstore
+    type: email
+    skip-email-verification: true
+  https://public.example.com:
+    issuer-url: https://public.example.com
+    client-id: sigstore
+    type: email
+`
+
+	cfg, err := parseConfig([]byte(yamlConfig))
+	if err != nil {
+		t.Fatalf("failed to parse config: %v", err)
+	}
+
+	internalIssuer, ok := cfg.OIDCIssuers["https://internal.example.com"]
+	if !ok {
+		t.Fatal("internal issuer not found")
+	}
+	if !internalIssuer.SkipEmailVerification {
+		t.Error("expected SkipEmailVerification to be true for internal issuer")
+	}
+
+	publicIssuer, ok := cfg.OIDCIssuers["https://public.example.com"]
+	if !ok {
+		t.Fatal("public issuer not found")
+	}
+	if publicIssuer.SkipEmailVerification {
+		t.Error("expected SkipEmailVerification to be false (default) for public issuer")
+	}
+}
+
 func Test_issuerToChallengeClaim(t *testing.T) {
 	if claim := issuerToChallengeClaim(IssuerTypeEmail, ""); claim != "email" {
 		t.Fatalf("expected email subject claim for email issuer, got %s", claim)

pkg/generated/protobuf/fulcio.pb.go

@@ -38,19 +38,21 @@ func PrincipalFromIDToken(ctx context.Context, token *oidc.IDToken) (identity.Pr
 	if err != nil {
 		return nil, err
 	}
-	if !emailVerified {
+
+	cfg, ok := config.FromContext(ctx).GetIssuer(token.Issuer)
+	if !ok {
+		return nil, errors.New("invalid configuration for OIDC ID Token issuer")
+	}
+
+	// Check email_verified claim unless the issuer is configured to skip verification
+	if !cfg.SkipEmailVerification && !emailVerified {
 		return nil, errors.New("email_verified claim was false")
 	}
 
 	if !govalidator.IsEmail(emailAddress) {
 		return nil, fmt.Errorf("email address is not valid")
 	}
 
-	cfg, ok := config.FromContext(ctx).GetIssuer(token.Issuer)
-	if !ok {
-		return nil, errors.New("invalid configuration for OIDC ID Token issuer")
-	}
-
 	issuer, err := oauthflow.IssuerFromIDToken(token, cfg.IssuerClaim)
 	if err != nil {
 		return nil, err